Hexpm
CVE-2026-23939
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Store.Local' module) allows Relative Path Traversal. This vulnerability is associated with program files lib/hexpm/store/local.ex and program routines 'Elixir.Hexpm.Store.Local':get/3, 'Elixir.Hexpm.Store.Local':put/4, 'Elixir.Hexpm.Store.Local':delete/2, 'Elixir.Hexpm.Store.Local':delete_many/2.
This issue does NOT affect hex.pm the service. Only self-hosted deployments using the Local Storage backend are affected.
This issue affects hexpm: from 931ee0ed46fa89218e0400a4f6e6d15f96406050 before 5d2ccd2f14f45a63225a73fb5b1c937baf36fdc0.
AnalysisAI
Path traversal in hexpm's Local Storage backend allows unauthenticated attackers to read sensitive files through relative path manipulation in the file storage routines. Only self-hosted hexpm deployments using Local Storage are affected; the managed hex.pm service is not vulnerable. An attacker can access arbitrary files accessible to the hexpm process without authentication or user interaction.
Technical ContextAI
Classified as CWE-22 (Path Traversal). Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Store.Local' module) allows Relative Path Traversal. This vulnerability is associated with program files lib/hexpm/store/local.ex and program routines 'Elixir.Hexpm.Store.Local':get/3, 'Elixir.Hexpm.Store.Local':put/4, 'Elixir.Hexpm.Store.Local':delete/2, 'Elixir.Hexpm.Store.Local':delete_many/2.
This issue does NOT affect hex.pm the service. Only self-hosted deployme
RemediationAI
Monitor vendor advisories for a patch. Validate and sanitize file path inputs. Use allowlists.
Insufficient session expiration in hexpm. Password reset tokens never expire, enabling persistent account takeover.
Improper input sanitization in hexpm's SharedAuthorizationView module allows unauthenticated attackers to inject malicio
An uncontrolled resource consumption vulnerability in the Hex.pm package manager allows authenticated attackers to cause
Hexpm's OAuth implementation fails to enforce read-only API key restrictions during token exchange, allowing an attacker
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today